Date: Wed, 05 Oct 2016 14:51:12 +0200
From: Dag-Erling Smørgrav <des@des.no>
To: Roger Eddins <support@purplecat.net>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Reported version numbers of base openssl and sshd
Message-ID: <86k2dn9cxr.fsf@desk.des.no>
In-Reply-To: <0ee9d33e-9be2-4fd7-abc2-2285cc4bd4a2@typeapp.com> (Roger Eddins's message of "Wed, 05 Oct 2016 08:25:36 -0400")
References: <01eb01d21e52$4a7f1640$df7d42c0$@net> <86oa2z9un2.fsf@desk.des.no> <0ee9d33e-9be2-4fd7-abc2-2285cc4bd4a2@typeapp.com>
Roger Eddins <support@purplecat.net> writes:
> [...] Across the board we are finding other processes in commerce
> tools rejecting transactions due to version number deficiencies and
> the problem is growing rapidly. My hope would be that the team would
> reconsider the version number question as it is the biggest deficiency
> we experience daily using the FreeBSD OS.

Once again: how do they handle RHEL? Because Red Hat, the 800-pound gorilla of the Open Source world, does the same thing that we do: backport patches without bumping the version number.

And in fact, they do *less* than we do, because for OpenSSL and OpenSSH, we have version suffixes which should reflect the date of the last patch, so even an automated scanner *can* be taught to distinguish a vulnerable machine from a patched one - as long as secteam remembers to bump the suffix when they patch the software.

DES
-- 
Dag-Erling Smørgrav - des@des.no
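The point DES makes about the patch-date suffix is easy to see in code. The following is an added example, not part of the thread or of any FreeBSD tooling: it parses constructed OpenSSH banners, treats a trailing `FreeBSD-YYYYMMDD` token as the patch date (that exact token format is an assumption of the example, not something the message states), and shows why matching on the upstream version alone gives a false positive while the suffix lets a scanner separate patched from unpatched hosts.

```python
import re
from datetime import date

# Constructed sample banners for this example only. The first two carry the
# same upstream version but different patch-date suffixes; the third has no
# suffix at all, which is the case a version-only scanner mishandles.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20161001",
    "SSH-2.0-OpenSSH_7.2",
]

# Assumed banner shape: "SSH-2.0-OpenSSH_<version>[ FreeBSD-<YYYYMMDD>]".
BANNER_RE = re.compile(
    r"^SSH-2\.0-OpenSSH_(?P<version>[0-9][0-9A-Za-z.]*)"
    r"(?:\s+FreeBSD-(?P<patchdate>\d{8}))?"
)


def parse_banner(banner):
    """Split a banner into upstream version and optional patch date.

    Returns None when the banner is not an OpenSSH banner at all.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    patchdate = None
    raw = m.group("patchdate")
    if raw:
        patchdate = date(int(raw[:4]), int(raw[4:6]), int(raw[6:8]))
    return {"version": m.group("version"), "patchdate": patchdate}


def classify(banner, min_patch_date):
    """Return 'patched', 'unpatched' or 'unknown' for one banner.

    min_patch_date is the date on which the fix of interest was committed
    (a constructed value in the test below). Without a suffix the upstream
    version says nothing about backported fixes, so the honest answer is
    'unknown' rather than 'vulnerable'.
    """
    info = parse_banner(banner)
    if info is None or info["patchdate"] is None:
        return "unknown"
    return "patched" if info["patchdate"] >= min_patch_date else "unpatched"


if __name__ == "__main__":
    cutoff = date(2016, 9, 26)  # constructed cutoff for the demonstration
    for b in SAMPLE_BANNERS:
        print(f"{b!r:45} -> {classify(b, cutoff)}")
```

The two banners that share `OpenSSH_7.2` come out as `unpatched` and `patched` respectively, which is exactly the distinction a scanner keyed on the version number alone cannot make; the suffix-less banner is reported as `unknown`, since the absence of a suffix is a gap in information, not evidence of a vulnerability.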